VOOZH about

URL: https://apify.com/wonderful_beluga/ghost-exploit-synthesizer

โ‡ฑ Ghost Exploit Synthesizer ยท Apify

Pricing

Pay per usage

Go to Apify Store

Pricing

Pay per usage

Rating

0.0

(0)

Developer

๐Ÿ‘ Zaher el siddik

Zaher el siddik

Maintained by Community

Actor stats

0

Bookmarked

1

Total users

0

Monthly active users

a month ago

Last modified

Categories

Share

Ghost-Target: Exploit Synthesizer

Actor 3 of 3 in the Ghost-Target Autonomous Red Team Pipeline.

Reads vulnerability findings from the shared KV Store, sends them to GPT-4o with a red-team system prompt, and receives back realistic multi-stage attack chains. Sends rich Slack Block Kit alerts with MITRE ATT&CK mapping, CISA KEV highlights, and a one-click re-scan button that re-triggers the full pipeline directly from Slack. Tracks historical drift to alert only on what changed since last scan.

What It Does

Phase 1 โ€” Load & Filter Findings

Reads findings__{domain} from the shared KV Store โ€” the enriched Nuclei output written by Actor 2. Filters to findings at or above minChainSeverity to focus the LLM on the most exploitable surface.

Phase 2 โ€” GPT-4o Attack Chain Synthesis

Sends the top findings to GPT-4o with a specialized red-team system prompt:

"You are an elite red team lead and offensive security expert. Analyze raw vulnerability findings and synthesize them into realistic, multi-stage attack chains. Think like an APT actor."

The model returns up to 3 attack chains per run, each containing:

  • Entry point (exact asset + vulnerability)
  • Step-by-step attack path (max 5 steps, specific asset names)
  • Likelihood assessment
  • Business impact summary
  • MITRE ATT&CK tactic mapping
  • Remediation priority

Phase 3 โ€” MITRE ATT&CK Enrichment

Each chain's tactic list is further enriched by cross-referencing the finding tags against a built-in ATT&CK mapping:

Finding TagATT&CK Tactics
exposure / secretsT1552 - Unsecured Credentials, T1530 - Cloud Storage
misconfigT1190 - Exploit Public-Facing App, T1133 - External Remote Services
default-loginT1078 - Valid Accounts, T1110 - Brute Force
takeoverT1584 - Compromise Infrastructure
leaked-credentialT1078 - Valid Accounts, T1552.001 - Credentials in Files

Phase 4 โ€” Slack Block Kit Alerting

Sends a rich formatted alert to Slack for each chain at or above the severity threshold. The Block Kit payload includes:

  • Chain ID, severity badge (๐Ÿ”ด๐ŸŸ ๐ŸŸก), entry point, target
  • Step-by-step attack path in a code block
  • Business impact statement
  • CISA KEV findings callout (โš ๏ธ)
  • MITRE ATT&CK tactic list
  • Remediation priority

One-Click Re-Scan button โ€” links directly to the Apify Console with pre-filled input to re-run Actor 1 against the same domain. No copy-pasting, no context switching.

View Full Report button โ€” links to the current actor run's output in the Apify Console.

Phase 5 โ€” Drift Alert

If new CISA KEV findings appeared since the last scan that weren't there before, a separate DRIFT ALERT is sent to Slack โ€” even if no new attack chains were synthesized. Includes a red "Re-Scan Now" button.

Phase 6 โ€” Persist Report

Saves the full synthesis report to report__{domain} in the shared KV Store for use in future drift comparisons.

Input

FieldTypeRequiredDefaultDescription
targetDomainstringโœ…โ€”Root domain. Must match Actors 1 and 2
openaiApiKeystringโœ…โ€”OpenAI API key (sk-...)
globalKvsNamestringโ€”ghost-target-brainShared KVS name. Must match Actors 1 and 2
apifyApiTokenstringโ€”โ€”Apify API token. Required when triggered by Actor 2 โ€” automatically forwarded
openaiModelstringโ€”gpt-4oGPT model to use (gpt-4o, gpt-4-turbo, gpt-4, gpt-3.5-turbo)
slackWebhookUrlstringโ€”โ€”Slack incoming webhook URL for Block Kit alerts
shadowDiscoveryActorIdstringโ€”โ€”Actor 1's ID โ€” used to generate the one-click re-scan URL in Slack
minChainSeveritystringโ€”highOnly alert on chains at or above this severity (low / medium / high / critical)
historicalDiffEnabledbooleanโ€”trueCompare with previous scan to detect newly opened attack surface

Output

Dataset

One row per synthesized attack chain:

{
"chainId":"CHAIN-A1B2C",
"severity":"critical",
"entryPoint":"Exposed .env file at https://dev.example.com/.env containing DB_PASSWORD and AWS_SECRET_ACCESS_KEY",
"targetAsset":"Production PostgreSQL database and AWS S3 buckets",
"steps":[
"Fetch dev.example.com/.env via HTTP GET (nuclei: exposure/config/exposed-env-file)",
"Extract DB_HOST=db.example.com, DB_PASSWORD=s3cr3t, AWS_SECRET_ACCESS_KEY=AKIA... from file",
"Connect to db.example.com:5432 using extracted credentials (open port confirmed by Shodan)",
"Dump users table containing 450k PII records",
"Use AWS_SECRET_ACCESS_KEY to list and exfiltrate S3 bucket: example-customer-backups"
],
"likelihood":"high",
"impactSummary":"Full production database compromise and cloud storage exfiltration exposing 450k customer records โ€” GDPR and PCI-DSS breach event.",
"mitreTactics":[
"T1552.001 - Credentials in Files",
"T1190 - Exploit Public-Facing Application",
"T1530 - Data from Cloud Storage"
],
"remediationPriority":"CRITICAL: Remove .env from web root immediately. Rotate DB credentials and AWS keys. Restrict port 5432 to VPN only.",
"notifiedAt":"2026-05-15T10:01:23.000Z",
"domain":"example.com",
"synthesizedAt":"2026-05-15T10:01:20.000Z"
}

Key-Value Store (ghost-target-brain)

Writes report__{domain}:

{
"domain":"example.com",
"synthesizedAt":"2026-05-15T10:01:20.000Z",
"chains":[...],
"topFindingsSnapshot":[...],
"stats":{
"totalFindings":12,
"highCritical":7,
"kevMatches":1,
"chainsGenerated":3,
"alertsSent":2
}
}

Actor Output (OUTPUT)

{
"totalFindings":12,
"highCritical":7,
"kevMatches":1,
"chainsGenerated":3,
"alertsSent":2
}

Slack Alert Preview

๐Ÿ”ด Ghost-Target Alert: Attack Chain on example.com
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
Chain ID: CHAIN-A1B2C Severity: ๐Ÿ”ด CRITICAL
Entry Point: Exposed .env on dev.example.com
Target: Production database + S3 buckets
Likelihood: HIGH CISA KEV: โš ๏ธ 1
Attack Steps:
1. Fetch dev.example.com/.env via HTTP GET
2. Extract DB_PASSWORD, AWS_SECRET_ACCESS_KEY
3. Connect to db.example.com:5432 (open port)
4. Dump users table โ€” 450k PII records
5. Exfiltrate S3 bucket: example-customer-backups
Business Impact:
 GDPR breach event. 450k customer records exposed.
MITRE ATT&CK: T1552.001, T1190, T1530
Remediation: Remove .env immediately. Rotate credentials.
โš ๏ธ CISA KEV Matches:
 โ€ข CVE-2021-44228 โ€” Apache Log4j RCE on api.example.com (added 2021-12-10)
[ ๐Ÿ” One-Click Re-Scan ][ ๐Ÿ“Š View Full Report ]

Usage Examples

Standalone (after Actors 1 and 2 have run)

{
"targetDomain":"example.com",
"globalKvsName":"ghost-target-brain",
"apifyApiToken":"apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
"openaiApiKey":"sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"slackWebhookUrl":"https://hooks.slack.com/services/T.../B.../xxxx",
"shadowDiscoveryActorId":"YOUR_USERNAME/ghost-shadow-discovery",
"minChainSeverity":"high"
}

Force synthesis on all findings (including medium/low)

{
"targetDomain":"example.com",
"globalKvsName":"ghost-target-brain",
"apifyApiToken":"apify_api_xxxxxxxxxxxxxxxxxxxxxxxx",
"openaiApiKey":"sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"minChainSeverity":"low",
"historicalDiffEnabled":false
}

Setting Up Slack Notifications

  1. Go to api.slack.com/apps โ†’ Create New App โ†’ From scratch
  2. Navigate to Incoming Webhooks โ†’ Enable โ†’ Add New Webhook to Workspace
  3. Choose your alert channel (e.g. #security-alerts)
  4. Copy the webhook URL (https://hooks.slack.com/services/...)
  5. Paste it into the slackWebhookUrl input

Model Selection

ModelSpeedCostBest For
gpt-4oFastMediumDefault โ€” best balance
gpt-4-turboMediumMediumHigh-context scans
gpt-4SlowHighMaximum reasoning quality
gpt-3.5-turboVery fastLowBudget runs, testing

For real-world red team reporting, gpt-4o or gpt-4-turbo recommended.

Legal Notice

This tool is for authorized penetration testing and security research only. The AI-synthesized attack chains are for defensive awareness โ€” to help security teams understand and prioritize remediation. Never use this output to conduct unauthorized attacks.

You might also like

Ghost Email Scraper - Advanced, Fast & Cheapest

contacts-api/ghost-email-scraper-fast-advanced-and-cheapest

๐Ÿ‘ป Ghost Email Scraper helps you find writer and publication emails from Ghost-powered sites ๐Ÿ” Ideal for content marketing and partnerships ๐Ÿ“ง

Ghost Email Scraper โ€“ Advanced, Cheapest & Reliable ๐Ÿ“งโšก

contactminerlabs/ghost-email-scraper---advanced-cheapest-reliable

๐Ÿ” Scrape Ghost.org Emails Enter your search parameters to collect verified contact emails from public Ghost profiles, along with profile title, bio, source URL & platform info โœ‰๏ธ๐Ÿ“Š Perfect for lead generation, influencer outreach & data enrichment in tools like Google Sheets or CRMsโšก๐Ÿงฉ

๐Ÿ‘ User avatar

ContactMinerLabs

5

Ghost Explore Newsletter Directory Scraper

jungle_synthesizer/ghost-explore-newsletter-directory-scraper

Scrapes the Ghost Explore newsletter directory (explore.ghost.org), listing Ghost-hosted publications with member counts, descriptions, newsletter URLs, social links, and category tags. Covers ranking pages (Top Members, Top Revenue, Trending, Recent) and 30+ topic categories.

๐Ÿ‘ User avatar

BowTiedRaccoon

2

Ghost Job Detector

badruddeen/ghost-job-detector

Identify ghost, fake, or reposted LinkedIn and company jobs. Monitors listings, extracts signals, and calculates a Hiring Likelihood Score to help job seekers focus on genuine opportunities.

๐Ÿ‘ User avatar

Badruddeen Naseem

13

EPSS Exploit Prediction Scoring System Scraper

parseforge/epss-exploit-prediction-scraper

Scrape EPSS (Exploit Prediction Scoring System) scores from FIRST.org. Returns the 30-day probability and percentile rank of CVE exploitation. Filter by CVE ID(s), date, history window, or minimum score.

Exploit-DB Exploits Scraper

parseforge/exploit-db-exploits-scraper

Hunt down live security records from Exploit Db Exploits with identifiers, severity, affected products, descriptions and references. Trusted by SOC teams, threat intel researchers and DevSecOps pipelines. Run on demand or on a recurring schedule and feed every row into your favourite analytics or.